NTP, ntpdate, and ISP-based firewall

Don Levey fedora-list at the-leveys.us
Thu Mar 4 18:17:32 UTC 2004


fedora-list-admin at redhat.com wrote:

> While that's running, try 'tcpdump host 69.22.157.240' to see what
> traffic's actually going by.
>
> You should see pairs of packets something like this (this is from my
> ntp server):
>
> 09:33:19.579902 urd.ntp > tick.usnogps.navy.mil.ntp:  v4 client strat
> 0 poll 6 prec -18 (DF) [tos 0x10]
> 09:33:19.620380 tick.usnogps.navy.mil.ntp > urd.ntp:  v4 server strat
> 1 poll 6 prec -19 (DF) [tos 0x10]
> 09:34:24.581554 urd.ntp > tick.usnogps.navy.mil.ntp:  v4 client strat
> 0 poll 6 prec -18 (DF) [tos 0x10]
> 09:34:24.621438 tick.usnogps.navy.mil.ntp > urd.ntp:  v4 server strat
> 1 poll 6 prec -19 (DF) [tos 0x10]
>
> If you don't see the reply, you're getting blocked somewhere outside.
> If you -do- see the reply, you're not getting blocked, but just aren't
> acknowledging the replies (possibly due to iptables).

...And therein lies the problem:
[root at davinci etc]# tcpdump host 69.22.157.240
tcpdump: listening on eth0
13:03:33.288729 davinci.ntp > vip1.anycast.cachenetworks.com.ntp:  v4 client
strat 0 poll 7 prec -15 (DF) [tos 0x10]
13:05:41.288758 davinci.ntp > vip1.anycast.cachenetworks.com.ntp:  v4 client
strat 0 poll 8 prec -15 (DF) [tos 0x10]
13:09:57.288735 davinci.ntp > vip1.anycast.cachenetworks.com.ntp:  v4 client
strat 0 poll 8 prec -15 (DF) [tos 0x10]

I'm not getting anything back.  Feh.  Doesn't seem to make a difference
whether or not I have iptables running.  I opened port 123 on my Linksys
firewall (the real Linux firewall machine will come soon, when I have more
time to understand) and made sure it was forwarded correctly, so it looks
like the ISP is blocking.  They haven't responded to my inquiry as of yet.
Anyone else running on RCN who can run ntp?

 -Don
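The diagnosis in this thread (client packets leaving, no server packets coming back) can be automated over a saved tcpdump capture. The following is an added example, not code from the thread; it parses the one-line form of the `tcpdump` NTP summary shown above (the post's lines were wrapped by the mailer), counts requests and replies per upstream server, and flags servers that never answer. The sample lines are constructed from the thread's own output.

```python
import re
from collections import defaultdict

# Constructed sample: the unanswered davinci -> cachenetworks lines from the post,
# plus one answered urd <-> tick.usnogps.navy.mil pair from the quoted reply.
SAMPLE = """\
13:03:33.288729 davinci.ntp > vip1.anycast.cachenetworks.com.ntp:  v4 client strat 0 poll 7 prec -15 (DF) [tos 0x10]
13:05:41.288758 davinci.ntp > vip1.anycast.cachenetworks.com.ntp:  v4 client strat 0 poll 8 prec -15 (DF) [tos 0x10]
09:33:19.579902 urd.ntp > tick.usnogps.navy.mil.ntp:  v4 client strat 0 poll 6 prec -18 (DF) [tos 0x10]
09:33:19.620380 tick.usnogps.navy.mil.ntp > urd.ntp:  v4 server strat 1 poll 6 prec -19 (DF) [tos 0x10]
"""

# One tcpdump NTP summary line: timestamp, "src.ntp > dst.ntp:", version, mode, stratum.
LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\.ntp\s+>\s+(?P<dst>\S+)\.ntp:\s+"
    r"v(?P<ver>\d)\s+(?P<mode>client|server)\s+strat\s+(?P<strat>\d+)"
)

def parse(text):
    """Yield one dict per recognisable NTP line; anything else is skipped."""
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()

def summarize(text):
    """Per upstream server: client requests sent, server replies seen, and a verdict."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0})
    for p in parse(text):
        if p["mode"] == "client":
            stats[p["dst"]]["requests"] += 1      # our host asking the server
        else:
            stats[p["src"]]["replies"] += 1       # the server answering us
    for s in stats.values():
        if s["replies"] == 0:
            # Requests leave, nothing returns: filtered upstream of this interface.
            s["verdict"] = "no replies: blocked outside this host"
        elif s["replies"] < s["requests"]:
            s["verdict"] = "partial replies: packet loss or intermittent filtering"
        else:
            # Replies arrive; if ntpd still does not sync, look at local iptables.
            s["verdict"] = "ok"
    return dict(stats)

if __name__ == "__main__":
    for server, s in summarize(SAMPLE).items():
        print(f"{server}: {s['requests']} req / {s['replies']} rep -> {s['verdict']}")
```

Feed it a real capture with `tcpdump -n -l host <server> | python3 ntpcheck.py` style piping, or a saved text file; replies that do arrive but never result in sync point at local filtering, as the quoted reply explains.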